Closed patrickg2525 closed 5 years ago
josephbleroy
commented
5 years ago It seems some subscriptions are only applicable to Domain Controllers, and others are Server or Workstation specific.
In some instances, such as Kerberos events (4768, 4769), the subscription will only need to be enabled for Domain Controllers. These events aren't generated on client workstations.
patrickg2525
commented
5 years ago It seems some subscriptions are only applicable to Domain Controllers, and others are Server or Workstation specific.
In some instances, such as Kerberos events (4768, 4769), the subscription will only need to be enabled for Domain Controllers. These events aren't generated on client workstations.
That's my point (and my question)... why does the SDDL for all of the subscriptions the same since some subscriptions are not applicable to certain groups? Is that oversight or intended?
cryps1s
commented
5 years ago Hey folks, thanks for the ping on this.
Internally, we use a CI/CD pipeline to swap the SDDL based upon where we want to deploy it. We opted to leave it with very permissive SDDLs externally to reduce friction in adoption.
Depending on how you deploy WEF servers (e.g. you push servers to a dedicated WEF box), you might want to adjust the SDDL itself to be more granular or permissive. Either way, select what works best for your environment.
Hope this helps.
Hello, First and again - thanks for all the great work yall have put into this!
I'm noticing that the SDDL for the AllowedSourceDomainComputers param is the same for all of the subscriptions: O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)(A;;GA;;;DD)
Is that the intent? It seems some subscriptions are only applicable to Domain Controllers, and others are Server or Workstation specific.
Thanks!